Is Single Sign-On (SSO) Secure?

As if 2018 hasn’t been a tough enough year for Facebook, it was disclosed in late September that the social media giant was breached. The compromise itself was due to attackers exploiting several zero-day vulnerabilities, but it ultimately caused anguish and confusion for over 50 million Facebook users. The breach has also led several people to ask questions about Facebook, as well as about identity security in general. Specifically, some are wondering, “is single sign-on (SSO) secure?”

Why That Question?

You may be wondering why, in a discussion about a Facebook hack, we would bring up SSO, but the two are more intertwined than you might think. Facebook has a number of partnered properties, including services such as Spotify, that link directly to a person’s Facebook account. By using their Facebook account, people can log into a variety of services with one identity. In practice, this functionality is quite convenient, but once those identities have been compromised, it becomes a source of worry: a single stolen credential now unlocks every linked service.

Facebook isn’t actually an SSO solution for businesses, however. Compared to the vast field that is SSO, Facebook’s single sign-on functionality is more a trite novelty than a true, full-fledged solution. So, it’s unfair to ask if single sign-on is secure just because a non-player in the scene got breached, when in fact the entire SSO industry is actually dedicated to creating secure centralized identities.

The Actual SSO Market

The SSO space is filled with Software-as-a-Service (SaaS) solutions that bridge the gap between a user identity (usually from a directory service like Microsoft® Active Directory®) and web applications like Salesforce, GitHub, Trello, etc. While this is very similar to what Facebook’s “SSO” can do, the implications are far greater. Generally, these SSO solutions are leveraged by organizations looking to protect their sensitive company data by regulating and monitoring access via a directory service. With an SSO solution, companies can limit the attack vectors created by forgotten or inadequate passwords, because users authenticate once against a centrally managed identity instead of maintaining a separate password for each application. By this definition, single sign-on actually promotes security, as opposed to compromising it.